syscfg23.exe ?

[Sadalsud]

Hello, I'm the administrator for a small group of Windows 2000/XP machines and
saw this service appear on them last Friday afternoon. The process was using
100% of the CPU utilization on each machine. I did a netstat on a couple of
machines and saw that the machines appeared to be doing some port scanning. I
tried scanning each machine using Ad-aware, McAffee, and Trend Micro's
Housecall website (all with the latest updates), but they did not detect the
virus. All of my attempts to remove the service have failed so far. I looked
through the Run, RunServices, and RunOnce folders in the registry and didn't
see anything suspicious. Has anyone else come across this worm? I tried doing
some searches on Google, but that didn't turn up anything for syscfg23. Also,
it seems the virus is propagating through network shares. If anyone has come
across this worm, how did you remove it? Thank you.

 

[GateKeeper]

I believe this Symantec article will help you.

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

 

[Sadalsud]

I believe this Symantec article will help you.


http://securityresponse.symantec.com/avcenter/venc/data/w32.kwbot.s.worm@

mm.html

I initially thought it might be this worm, but it is for syscfg32 (not 23).
I've done google searches on "syscfg" and saw that it is a popular filename for
worms. I saw syscfg32, 34, 35, and 27. They were all related to different
worms. I'm thinking my systems have caught a new worm entirely or just a new
variant.

 

[GateKeeper]

Seems like a Trojan to me. You said you didn't see "anything
suspicious" in the commnon startup Registry keys. Have you tried
disabling them one at a time with msconfig to see if the activity stops?

 

[Sadalsud]

(e-mail address removed)

Seems like a Trojan to me. You said you didn't see "anything
suspicious" in the commnon startup Registry keys. Have you tried
disabling them one at a time with msconfig to see if the activity stops?

Disabling and verifying each of the processes in the registery startup keys is
the next thing I'm going to do. I shut everything down for the weekend so I
could do some research. I was just wondering if anyone else had come across
this nasty creation.

I did note that manually killing the task from task manager never helped. It
would just show up a couple minutes later. Sometimes, syscfg23 would show up
twice in Task Manager with different owners. Also, deleting all files named
syscfg23.exe didn't help either. The file is being recreated everytime the
machine is started. I think there is a companion process that is doing that.

 

[Doug Knox MS-MVP]

Are you sure you have the filename right? SYSCFG32.EXE is a known file name of the KWBot worm.

 

[Sadalsud]

Are you sure you have the filename right? SYSCFG32.EXE is a known file =
name of the KWBot worm. =20

Yes, I'm extremely sure that it is syscfg23.exe.

 

[Czuque]

We, too, have been infected with this worm(?). While the Symantec
listing for W32.Kwbot.S.Worm@mm is similar, it is not the same beast
as we have been fighting.

We removed all computers from out network to avoid cross
contamination. We have been successful (so far) at the deletion of the
all files apearantly related to syscfg23.exe including the
\Windows\prefetch\syscfg32.exe -XXXXX.pf files. You can avoid the
"access denied" situation by doing an "end task" of syscfg.exe from
the Task Manager. We also removed all registry entries using a search
for syscfg. We are now reconnecting computers to the network and
teaching the users to use Task Manager to watch for the reoccurance of
syscfg23.exe. So far, so good. But even if we are not self reinfected,
I assume reinfection is eminent until there is a definition update to
cover this.

We found registry entries in all sorts of places. Run, Run Services
and MRU lists are just samples of where you might find something to
promote either automatic or manual startup of syscfg.exe.

Just a s note: We have not found this worm active on any of our
Windows 98 computers. Only on Windows XP. We had approxiately 50% of
our XP machines infected over a two day period.

Wish us luck at getting the rest of the computers in our LAN back
online.